a CVE dispute

A few years ago the curl project signed up and became a CNA. This means that we are masters of and can allocate our own CVE identifiers. For any security problems within our territory, it is we who decide if the issue should get a CVE or not. No more bogus CVEs. 57 CVEs …

daniel.haxx.se
@bagder Do you get something if you find a CVE worthy bug?
@chris yes, you get that awesome sensation that you help improve curl, and a thank you and credits in the advisory
@bagder Ah. I was just wondering why someone would be so insistent that the bug got a CVE. It sounds annoying. I hate explaining myself multiple times without any feedback.
@chris I cannot explain why they pushed for this so hard.
@bagder @chris Anecdote: A friend recently handled a security report in a popular free project; they don't assign CVEs ever. The reporter insisted on receiving one to build recognition for their CV
@bagder @chris My guess is resume padding

@chris @bagder There's a meme going around that CVEs are resume/CV fodder for budding hackers looking to break into infosec.

Maybe I'm biased because nothing I reported publicly ended up with a CVE, but if I'm hiring I'll look at research and judge it on its merits, not whether it got assigned a CVE or not.

@fwaggle
what if HR comes to you and says "I have 100 applicants for this position, and I suspect most of them are severely underqualified. How do I filter out the obviously underqualified ones so that I can give you a manageable number of candidates for technical interview?"
@chris @bagder

@wolf480pl @chris @bagder I don't know a generic answer to that question, we've had a few situations like that where we can give TA specific things to ask about (all specific to our org and the role), but I don't think a CVE being assigned to the applicant is particularly helpful there though?

Not sure I'd want to work for any org with "at least x CVEs to ride" as part of the hiring process, but I can afford to be picky right now.

I agree that it’s not worthy of a CVE. In addition to your reasoning I see another argument for why a CVE is not warranted. Even if an attacker could make resolution work for this invalid hostname, what attack could they actually perform? If they control the wildcard certificate they can use it for any subdomain, so what sort of attack can be performed using the invalid domain which couldn’t have been achieved using a valid subdomain?

There is one thing about the bug which puzzles me. I would have expected the validation of the domain matching the certificate to have been performed by the TLS library and not in curl, so what's the reason this is a bug in curl rather than the library?

@kasperd for OpenSSL we have curl code to do the verification because they did not provide such a function for a very long time, and I don't even know the status of any such now

@bagder would nominating https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat as your CNA's root help avoid MITRE?

MITRE sits above other roots, but if the process flows to Pete's group first it might squelch the noise https://www.cve.org/programorganization/Structure

@eslerm our root is Red Hat already. I don't know why MITRE was involved here

@bagder @eslerm Perhaps they pitched a fit to Red Hat & appealed it up to MITRE. I’m not familiar with the process, but this seems like the type of person to use it. They had an AI find the bug and write the report, then went back to it to seek validation. Meanwhile, their AI entirely missed the invalid DNS issue. Meanwhile, I brought the same URL to ChatGPT and it pointed out the invalidity immediately.

AI is rotting brains.

CVE as a system works when the assigning CNA has skin in the game. When the CNA is the vendor and the bug reporter is an outsider, "dispute process" mostly means waiting until the vendor loses interest in disagreeing.